iliaa                                    Sun, 26 Jul 2009 15:14:18 +0000

Revision: http://svn.php.net/viewvc?view=revision&revision=286360

Log:
Fixed bug #49026 (proc_open() can bypass safe_mode_protected_env_vars
restrictions).

Bug: http://bugs.php.net/49026 (Open) proc_open() can bypass 
safe_mode_protected_env_vars restrictions
      
Changed paths:
    U   php/php-src/branches/PHP_5_2/NEWS
    U   php/php-src/branches/PHP_5_2/ext/standard/proc_open.c
    U   php/php-src/branches/PHP_5_3/NEWS
    U   php/php-src/branches/PHP_5_3/ext/standard/proc_open.c

Modified: php/php-src/branches/PHP_5_2/NEWS
===================================================================
--- php/php-src/branches/PHP_5_2/NEWS   2009-07-26 14:49:23 UTC (rev 286359)
+++ php/php-src/branches/PHP_5_2/NEWS   2009-07-26 15:14:18 UTC (rev 286360)
@@ -8,6 +8,8 @@
   --with-curlwrappers). (Jani)
 - Fixed bug #49032 (SplFileObject::fscanf() variables passed by reference).
   (Jani)
+- Fixed bug #49026 (proc_open() can bypass safe_mode_protected_env_vars
+  restrictions). (Ilia)
 - Fixed bug #48980 (Crash when compiling with pdo_firebird). (Felipe)
 - Fixed bug #48962 (cURL does not upload files with specified filename).
   (Ilia)

Modified: php/php-src/branches/PHP_5_2/ext/standard/proc_open.c
===================================================================
--- php/php-src/branches/PHP_5_2/ext/standard/proc_open.c       2009-07-26 
14:49:23 UTC (rev 286359)
+++ php/php-src/branches/PHP_5_2/ext/standard/proc_open.c       2009-07-26 
15:14:18 UTC (rev 286360)
@@ -30,6 +30,7 @@
 #include "php_string.h"
 #include "safe_mode.h"
 #include "ext/standard/head.h"
+#include "ext/standard/basic_functions.h"
 #include "ext/standard/file.h"
 #include "exec.h"
 #include "php_globals.h"
@@ -152,6 +153,34 @@
                                if (string_length == 0) {
                                        continue;
                                }
+                               if (PG(safe_mode)) {
+                                       /* Check the protected list */
+                                       if 
(zend_hash_exists(&BG(sm_protected_env_vars), string_key, string_length - 1)) {
+                                               php_error_docref(NULL 
TSRMLS_CC, E_WARNING, "Safe Mode warning: Cannot override protected environment 
variable '%s'", string_key);
+                                               return env;
+                                       }
+                                       /* Check the allowed list */
+                                       if (BG(sm_allowed_env_vars) && 
*BG(sm_allowed_env_vars)) {
+                                               char *allowed_env_vars = 
estrdup(BG(sm_allowed_env_vars));
+                                               char *strtok_buf = NULL;
+                                               char *allowed_prefix = 
php_strtok_r(allowed_env_vars, ", ", &strtok_buf);
+                                               zend_bool allowed = 0;
+
+                                               while (allowed_prefix) {
+                                                       if 
(!strncmp(allowed_prefix, string_key, strlen(allowed_prefix))) {
+                                                               allowed = 1;
+                                                               break;
+                                                       }
+                                                       allowed_prefix = 
php_strtok_r(NULL, ", ", &strtok_buf);
+                                               }
+                                               efree(allowed_env_vars);
+                                               if (!allowed) {
+                                                       php_error_docref(NULL 
TSRMLS_CC, E_WARNING, "Safe Mode warning: Cannot set environment variable '%s' 
- it's not in the allowed list", string_key);
+                                                       return env;
+                                               }
+                                       }
+                               }
+
                                l = string_length + el_len + 1;
                                memcpy(p, string_key, string_length);
                                strcat(p, "=");

Modified: php/php-src/branches/PHP_5_3/NEWS
===================================================================
--- php/php-src/branches/PHP_5_3/NEWS   2009-07-26 14:49:23 UTC (rev 286359)
+++ php/php-src/branches/PHP_5_3/NEWS   2009-07-26 15:14:18 UTC (rev 286360)
@@ -11,6 +11,8 @@
   --with-curlwrappers). (Jani)
 - Fixed bug #49032 (SplFileObject::fscanf() variables passed by reference).
   (Jani)
+- Fixed bug #49026 (proc_open() can bypass safe_mode_protected_env_vars
+  restrictions). (Ilia)
 - Fixed bug #49012 (phar tar signature algorithm reports as Unknown (0) in
   getSignature() call). (Greg)
 - Fixed bug #49020 (phar misinterprets ustar long filename standard).

Modified: php/php-src/branches/PHP_5_3/ext/standard/proc_open.c
===================================================================
--- php/php-src/branches/PHP_5_3/ext/standard/proc_open.c       2009-07-26 
14:49:23 UTC (rev 286359)
+++ php/php-src/branches/PHP_5_3/ext/standard/proc_open.c       2009-07-26 
15:14:18 UTC (rev 286360)
@@ -30,6 +30,7 @@
 #include "php_string.h"
 #include "safe_mode.h"
 #include "ext/standard/head.h"
+#include "ext/standard/basic_functions.h"
 #include "ext/standard/file.h"
 #include "exec.h"
 #include "php_globals.h"
@@ -152,6 +153,34 @@
                                if (string_length == 0) {
                                        continue;
                                }
+                               if (PG(safe_mode)) {
+                                       /* Check the protected list */
+                                       if 
(zend_hash_exists(&BG(sm_protected_env_vars), string_key, string_length - 1)) {
+                                               php_error_docref(NULL 
TSRMLS_CC, E_WARNING, "Safe Mode warning: Cannot override protected environment 
variable '%s'", string_key);
+                                               return env;
+                                       }
+                                       /* Check the allowed list */
+                                       if (BG(sm_allowed_env_vars) && 
*BG(sm_allowed_env_vars)) {
+                                               char *allowed_env_vars = 
estrdup(BG(sm_allowed_env_vars));
+                                               char *strtok_buf = NULL;
+                                               char *allowed_prefix = 
php_strtok_r(allowed_env_vars, ", ", &strtok_buf);
+                                               zend_bool allowed = 0;
+
+                                               while (allowed_prefix) {
+                                                       if 
(!strncmp(allowed_prefix, string_key, strlen(allowed_prefix))) {
+                                                               allowed = 1;
+                                                               break;
+                                                       }
+                                                       allowed_prefix = 
php_strtok_r(NULL, ", ", &strtok_buf);
+                                               }
+                                               efree(allowed_env_vars);
+                                               if (!allowed) {
+                                                       php_error_docref(NULL 
TSRMLS_CC, E_WARNING, "Safe Mode warning: Cannot set environment variable '%s' 
- it's not in the allowed list", string_key);
+                                                       return env;
+                                               }
+                                       }
+                               }
+
                                l = string_length + el_len + 1;
                                memcpy(p, string_key, string_length);
                                strcat(p, "=");

-- 
PHP CVS Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Reply via email to